Threat Hunting is Growing Up in the SOC, Study Finds

04 Sep

Some 40% of cybersecurity organizations say they conduct threat hunting today, according to the 2018 Threat Hunting Report by Cybersecurity Insiders. While that is only a five-percentage-point increase over the same survey conducted last year, the survey also found that six out of every 10 respondents say their organizations plan to build out threat hunting programs over the next three years.

While the concept of threat hunting is still relatively new, the survey this year suggests threat hunting has gained considerable traction. Indeed, 84 percent of those surveyed agreed “that threat hunting should be a top security initiative.”

1) The purpose of a threat hunting program

Threat hunting is the proactive search for adversaries already inside a network who are sophisticated enough to evade conventional, alert-driven detection. The survey found that exactly this gap is the top challenge facing the security operations center (SOC):

39% said emerging or advanced threats are missed by traditional security tools; and

55% said detecting advanced threats – known and unknown – is the top challenge.

That is a straightforward case for establishing a threat hunting program, and the study suggests the goals of such a program are equally clear. The top goals respondents identified for their threat hunting programs are as follows:

56% said “reducing exposure to external threats;”

52% said “improving speed and accuracy of threat response;” and

49% said “reducing the number of breaches.”

While it wasn’t part of this survey, credible threat hunting experts have noted that threat hunting programs serve additional purposes. For example, the knowledge of the technology environment gained while hunting can be fed back into rule- and signature-based (static) detection and into overall defenses.

In addition, threat hunting programs can also serve as a valuable professional development tool that doubles as a recruiting and retention benefit. While that’s an ancillary benefit to reducing threats, it’s worth highlighting given the cybersecurity talent shortage the industry is facing.

2) Process, team and task-organization for threat hunting

As threat hunting gains momentum, SOCs may look for ideas on how best to task-organize security teams for a threat hunting program. According to the study, most respondents (56%) said their organization keeps threat hunting in-house, and the function involves about 17% of SOC staff.

About one-fifth (22%) of respondents indicated their threat hunting team is a combination that includes in-house staff augmented with help from a managed security service provider (MSSP). Just 11% outsource the entire function to an MSSP.

How much time is dedicated to threat hunting? On average, respondents said they spend about 40% of their time “proactively seeking threats.” When they are looking for threats, the indicators investigated most often are as follows:

67% said behavioral anomalies;

58% said IP addresses;

46% said domain names;

46% said denied or flagged connections; and

32% said file names.

A majority (76%) said that 40% wasn’t enough time, which may well be both a reason for, and a barrier to, adopting a threat hunting program: respondents said some 60% of their time goes to triaging a deluge of alerts and reacting to events.

The Bro open source network security monitor (since renamed Zeek) is worth mentioning here. First, it is a network traffic analysis engine that parses sessions and application protocols and writes structured transaction logs (connections, DNS, HTTP, files and so on), which helps security teams understand their network traffic and interpret behavioral anomalies.

Second, it can support hunting because it records that metadata continuously, so the context before, during and after an anomaly that triggers an alert is already on disk. That data can be used to enrich alerts and provide context for more effective triage; see What is Bro? for an easy-to-read primer.
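As an added example (written for this post, not code from the original article or from the Bro project) of the kind of hunt Bro metadata supports: the Python below parses a constructed, simplified subset of Bro's conn.log and dns.log columns, flags denied or unanswered connections (conn_state REJ and S0), looks for beaconing as a behavioral anomaly (repeated connections to one destination at near-constant intervals), and enriches a flagged IP address with the domain names that resolved to it. The sample records, the column subset and the interval-regularity threshold are constructed assumptions, not data from the report.

```python
"""Hunt over Bro/Zeek-style logs for indicators named in the survey:
denied or flagged connections, behavioral anomalies (beaconing), and
IP-to-domain enrichment. Sample logs below are constructed, not captures."""
import statistics
from collections import defaultdict

# Constructed sample records using a SUBSET of the columns Bro/Zeek writes to
# conn.log and dns.log. Columns are tab-separated; "-" means unset, as in Zeek.
CONN_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
1535990400.000\tC1a\t10.0.0.5\t51000\t203.0.113.7\t443\ttcp\tssl\t0.21\t412\t1377\tSF
1535990401.500\tC1b\t10.0.0.5\t51002\t198.51.100.10\t80\ttcp\thttp\t1.80\t950\t54231\tSF
1535990460.100\tC1c\t10.0.0.5\t51010\t203.0.113.7\t443\ttcp\tssl\t0.19\t410\t1380\tSF
1535990519.900\tC1d\t10.0.0.5\t51020\t203.0.113.7\t443\ttcp\tssl\t0.22\t414\t1371\tSF
1535990580.200\tC1e\t10.0.0.5\t51030\t203.0.113.7\t443\ttcp\tssl\t0.20\t411\t1379\tSF
1535990640.000\tC1f\t10.0.0.5\t51040\t203.0.113.7\t443\ttcp\tssl\t0.21\t413\t1376\tSF
1535990470.000\tC2a\t10.0.0.9\t40000\t10.0.0.20\t445\ttcp\t-\t-\t0\t0\tREJ
1535990471.000\tC2b\t10.0.0.9\t40001\t10.0.0.21\t445\ttcp\t-\t-\t0\t0\tS0
1535990472.000\tC2c\t10.0.0.9\t40002\t10.0.0.22\t445\ttcp\t-\t-\t0\t0\tREJ
"""

DNS_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tquery\tqtype_name\trcode_name\tanswers
1535990399.800\tD1\t10.0.0.5\t53011\t10.0.0.2\t53\tudp\tupdate-cdn.example\tA\tNOERROR\t203.0.113.7
1535990401.200\tD2\t10.0.0.5\t53012\t10.0.0.2\t53\tudp\tnews.example\tA\tNOERROR\t198.51.100.10
"""

# REJ = peer rejected the SYN; S0 = SYN seen, no reply. Both read as "denied".
DENIED_STATES = {"REJ", "S0"}


def parse_zeek(text):
    """Parse Zeek ASCII log text into dicts keyed by the #fields header."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other header/footer lines, or data before a header
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def denied_connections(conns):
    """Denied or flagged connections, grouped by the source host."""
    out = defaultdict(list)
    for c in conns:
        if c["conn_state"] in DENIED_STATES:
            out[c["id.orig_h"]].append((c["id.resp_h"], int(c["id.resp_p"]), c["conn_state"]))
    return dict(out)


def find_beacons(conns, min_count=4, max_cv=0.1):
    """Behavioral anomaly: >= min_count connections to one (src, dst, port)
    whose inter-arrival times have a coefficient of variation <= max_cv.
    Thresholds are assumed tuning values, not from the report."""
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c["id.orig_h"], c["id.resp_h"], int(c["id.resp_p"]))].append(float(c["ts"]))
    beacons = []
    for (src, dst, port), times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            beacons.append({"src": src, "dst": dst, "port": port,
                            "count": len(times), "interval": round(mean, 1)})
    return beacons


def names_for_ip(ip, dns):
    """Enrich an IP address with the domain names whose answers included it."""
    return sorted({r["query"] for r in dns if ip in r["answers"].split(",")})


def hunt(conn_text=CONN_LOG, dns_text=DNS_LOG):
    """Run the three hunts and return (kind, detail) findings for triage."""
    conns, dns = parse_zeek(conn_text), parse_zeek(dns_text)
    findings = []
    for b in find_beacons(conns):
        b["names"] = names_for_ip(b["dst"], dns)  # IP -> domain enrichment
        findings.append(("beacon", b))
    for src, attempts in denied_connections(conns).items():
        findings.append(("denied", {"src": src, "attempts": attempts}))
    return findings


if __name__ == "__main__":
    for kind, detail in hunt():
        print(kind, detail)
```

Against the constructed data, the hunt reports one beacon (10.0.0.5 to 203.0.113.7:443, five connections about 60 seconds apart, resolved via update-cdn.example) and one source (10.0.0.9) with three denied attempts on port 445. The same functions work on real conn.log and dns.log output because the parser keys columns by the #fields header rather than by position, so extra columns in a full Zeek log are simply ignored.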

3) The capabilities to look for in threat hunting platforms

The survey dedicated a significant number of questions to tools designed for threat hunting. Just 40% of respondents said they maintain a threat hunting platform for their security analysts. Interestingly, the report found those with the right tools were able to identify threats 2.5x faster.

Speed of detection was one of the benefits associated with threat hunting platforms. The survey surfaced both the benefits respondents see in such tools and the capabilities they look for in them.

When asked, “What are the benefits of a threat hunting platform?” roughly half or more of all respondents identified each of the following:

64% said “improving detection of advanced threats;”

63% said “reducing investigation time;”

59% said “saving time from manually correlating events;”

53% said “reducing time wasted on chasing false leads;”

50% said “discovering threats that could not be discovered otherwise;” and

49% said “creating new ways of finding threats.”

When asked, “What capabilities do you consider most important regarding the effectiveness of a threat hunting tool?” threat intelligence (69%) was top of the list and was followed by:

Constant is not the same as insurmountable. As four-time CEO Ben Levitan noted about managing security costs, “The way to lower cost in security is to become hyper-efficient at the basic stuff: firewalls, intrusion detection, access control, password management without being overly rigid.”

He added that an “option I have seen work well is to avoid proprietary and over-featured products in favor of open source software that addresses the 80% of the problem. I say spend the incremental dollars you save by not implementing proprietary solutions on the newer threats that you may not have had the budget for.”

* * *

The researchers polled 461 cybersecurity and IT professionals; the analysis runs 33 pages and examines nearly as many questions. The full report is freely available for download (registration required): 2018 Threat Hunting Report.
